Unofficial news and tips about Google

March 4, 2007

SuperGenPass - Simple Password Generator

Yesterday I suggested some ideas to keep your passwords secure. In the comments, Thunder Rabbit pointed to a very simple way to generate strong passwords without having to remember them. SuperGenPass is a bookmarklet (a bookmark consisting mostly of JavaScript code) that uses a master password as a seed to derive a different password for each site. The script always produces the same password for a given domain, and the derivation is one-way: you can't recover the master password from a generated password. It's also nice that your master password is not stored anywhere (unless you choose to embed it in the bookmarklet).

The script works in any browser, but in Internet Explorer the bookmarklet has to download the rest of its JavaScript code from SuperGenPass's site because of IE's limitations. Loading that code from a third party every time you log in means trusting that site not to change it; if you don't want to rely on it, you can host the script on your own site.

If you decide to use this solution, you'll have to change your password on each site where you want to use passwords generated by SuperGenPass. Try it first with an unimportant site to see if you like it. Also, you'll have to stop storing passwords in your browser or in other password managers.

How will you use it?

* type the username and the master password when you log in
* click on the bookmarklet [extra click]
* click on "Populate" [extra click]
* submit the form

So: two extra clicks, no software to install, no stored passwords and just a bookmarklet that could easily be carried on a USB drive (there's an alternative page for mobile phones). And, best of all, you can use a single password for all the sites that need one.

"And, best of all, you can use a single password for all the sites that need one."

I wouldn't do that. I am using the predecessor of SuperGenPass as well, but I still don't use it for _really_ important stuff like e-banking.

In the unlikely case that your master password gets detected (e.g. by a keyboard-sniffing trojan on a compromised computer), all of your passwords are known. That small risk is acceptable for all my throwaway and social media accounts, but not for the critical stuff, for which I use a separate password. (Note: this also implies that I don't access that really important stuff on machines that I don't trust, e.g. in internet cafés...)

The problem with standalone programs (as I've just discovered, which is why I'm looking at this) is that they're not platform independent. My WM6 smartphone won't run the password generator I've been using for years - it's generated dozens of passwords I use every day.

Now I'm going to have to switch but I only want to do it once, so making it browser based is a reasonably sure way of achieving that independence, even if I switch to Linux for the desktop (which is not unlikely).

This is vulnerable to a brute-force dictionary attack. If anyone had access to one of your generated passwords (like so many admins might), they could find out your master password (if it wasn't a random combination of letters and digits). So don't use your dog's name as a master password.